CVE-2021-39250
Description
Invision Community (aka IPS Community Suite or IP-Board) before 4.6.5.1 allows stored XSS, with resultant code execution, because an uploaded file can be placed in an IFRAME element within user-generated content. For code execution, the attacker can rely on the ability of an admin to install widgets, disclosure of the admin session ID in a Referer header, and the ability of an admin to use the templating engine (e.g., Edit HTML).
Affected products
- Invision Community/Invision Community (description)
- Range: <4.6.5.1
References
- invisioncommunity.com/release-notes/4651-r102/ (mitre, x_refsource_MISC)
- ssd-disclosure.com/ssd-advisory-ip-board-stored-xss-to-rce-chain/ (mitre, x_refsource_MISC)